Friday, 30 September 2011

On Wednesday I blogged about being really impressed with the way that a Newham youth group had worked with the people behind the VOME (Visualisation and Other Methods of Expressions) project. Members of the youth group had produced a great music video, very cleverly setting out the principal concerns in song - and in dance moves that may well soon be copied in the clubs when the video goes viral.

Ironically, their reward is that Newham Council have announced the imminent closure of the youth group, so that the building they currently use can be made available to the Canadian Olympic Team for a couple of months next year. Some reward.

Anyway, their video is not out on YouTube yet, so there’s still a chance for the staff at the Information Commissioner’s to pip them to the post by releasing a video of their own. Or perhaps they can form a choir to perform a series of songs at the ICO’s Xmas Party.

So, in case the ICO’s staff are up for it, and are on the lookout for a number with a full chorus, they might want to try belting out this one. (After they’ve apologised to Lionel Bart, that is...)

Picture it: The curtain opens to reveal a data controller handing over their £35 annual notification fee to a grey haired man in the cafe around the corner from a workhouse in Wilmslow, cunningly disguised as the Information Commissioner’s Office. The audience’s attention shifts from the data controller to the grey haired man. No, he’s not Gandalf. But he is an enforcer, an educator and a master of data protection. Yes, he’s a Deputy Commissioner. The Director of Data Protection.

He steps forward. He speaks, before singing to an oddly familiar tune.

[DIRECTOR OF DP (spoken)] Mind?!
Consider yourself at home
Consider yourself one of the family
We've taken to you so strong
But my, your privacy policy is too long
Consider yourself well in
Consider yourself taking our literature
There isn't a lot to spare
Who cares?..
Whatever we've got we share!

When it will chance to be
You will see
Some awful days
Data breaching days
Why worry?
We will rely on you
To step right in
And sort it out
Then you can take us out for a curry!

Consider yourself first rate
Stopping practices we hate,
And after some consideration, we can state
Consider yourself
One of us!

Consider yourself...

[DATA CONTROLLER] At home?

[DIRECTOR OF DP] Consider yourself...

[DATA CONTROLLER] One of the family

[HEAD OF ENFORCEMENT] We've taken to you

[DATA CONTROLLER] So strong

[HEAD OF GOOD PRACTICE] But my

[ENTIRE OFFICE] Your privacy policy is too long.

[DIRECTOR OF DP] Consider yourself...

[HEAD OF CUSTOMER CONTACT] Well in!

[DIRECTOR OF DP] Consider yourself...

[HEAD OF GOOD PRACTICE] Taking our literature

[HEAD OF FINANCE] There isn't a lot to spare

[ALL] Who cares?
Whatever we got we share

[DIRECTOR OF DP] Nobody tries to be lah-di-dah or uppity--
There’s a drinks machine for all

Only it's wise to be handy with a staple gun
When the MoJ wants a brawl!

Thursday, 29 September 2011

Thud. Landing in my in-box yesterday was a hefty email from the GSM Association, giving me details of the views of over 4,000 mobile phone users in Singapore, Spain and the UK, on some privacy issues, particularly relating to the use of the mobile Internet and mobile applications. The research follows the January publication of the GSMA’s Mobile Privacy Principles, which described the way in which mobile consumers’ privacy should be respected and protected.

This study was designed to help mobile operators understand to what degree privacy interests were of concern to mobile users, as well as how they influence attitudes towards, and usage of, mobile Internet services and applications.

Overall, it showed that while privacy concerns can discourage consumer engagement with mobile Internet services, mobile applications and advertising, users greatly value the services and the opportunities they bring.

And the chief learning is that it’s necessary to strengthen consumer confidence and trust by giving users meaningful transparency, choice and control over how their personal information is used. So, there’s still a way to go, but consumers generally like what they’re getting.

Key Research Findings

About half of users were concerned about sharing their personal information while using the mobile Internet or mobile applications. Around 81 per cent of mobile users surveyed felt that safeguarding their personal information was very important and 76 per cent said they were very selective about whom they gave their information to. Key areas of user concern, which focused on trust and confidence, were highlighted as behavioural advertising, location-based services, mobile applications and third-party sharing. Other study findings include:

• 89 per cent of users think that it is important to know when personal information is being shared by an application and to be able to turn this off or on;
• 89 per cent think it important to have the option of giving permission for personal information to be used by third parties and 78 per cent are concerned with third parties having access to the location of their mobile without permission;
• 74 per cent want to be told if their personal information is collected to target them with offers or promotions; and
• 92 per cent of respondents have concerns when applications collect personal information without their consent and 79 per cent would like to know when and what type of personal information is being collected.

Practical services such as maps and weather are the most frequently used location-based services and are highly valued by over 70 per cent of respondents. 79 per cent think it is important to have the choice whether to receive location-based advertising with 86 per cent believing it important to be able to turn LBS promotions or advertising on or off.

Over 60 per cent of respondents were familiar with behavioural advertising, with 35 per cent finding it valuable, but 84 per cent thought it important to be able to have the choice whether to receive behavioural advertising that is based on browsing history and 81 per cent remained concerned about receiving behavioural advertising without their consent.

So, it’s somewhat of a thumbs up, and not a “doom and gloom” message for those who fear that a bit more transparency and control will result in customers switching off the behavioural advertising and other tracking technology in droves. The message is pretty clear – if consumers understand what it is that they are trading some of their privacy away for, they are going to be happy with the deal if, in return, they get stuff which is valuable to them.

The trick, therefore, is for the providers of this stuff to make their offerings sufficiently compelling, so that they’re not characterised as money- or privacy-grabbing bodies who simply want to take, rather than give back.

Wednesday, 28 September 2011

To many people, on-line privacy is a joke. To some it's a game. And this morning, on the 49th floor of One Canada Square in Canary Wharf, a select group of people assembled to play a new privacy game.

What am I on about?

Well, a group of academic researchers from the Information Society Group at Royal Holloway College, University of London, have been working on a 3 year research project with other academics, consultants and Sunderland City Council. They've been learning how young people engage with concepts of information privacy and consent in the on-line world.

It's called the VOME project, which is an acronym for the Visualisation and Other Methods of Expressions project.

What they have learnt has turned their world upside down. In an age where it can be the teenager who does the on-line banking for the family because their parents don't understand the Internet, it seems clear that many of these young people have got a better understanding of what can go on than their parents.

The researchers have also found that young people communicate amongst each other in terms that are vastly different to older generations. Image and attitude can be more important than the actual words that are used. And when the researchers offered a youth group the funds to produce a video explaining their privacy concerns, they were astounded with the results. No, it wasn't a series of talking heads, earnestly discussing privacy issues. These guys had actually produced a music video, very cleverly setting out the principal concerns in song - and in dance moves that may well soon be copied in the clubs when the video goes viral.

Watch out for "Internet Saint or an Internet Demon", which should be out on YouTube pretty soon. You too can be one of the first to have seen it.

Regular readers will appreciate that I also know the value of slipping privacy messages into songs, and am developing a series of ditties based on various privacy issues. You can see some of my earlier efforts in the blogs I posted on 6 November 2009, 16, 17, 18 & 19 June 2011 and 12 July 2011.

Anyway, back to the on-line privacy game. The developers have found a way to use the rules of a game to model the way that information flows around the online environment as it does in real life. Players seek to collect and use different types of personal information cards. Some of the information can be swapped. Other types of information are supposed to remain private. Each player assumes the identity of a secret character (such as a hacker, online shopper, advertiser or bank). Players then trade cards with each other to obtain the highest scores.

And, to mix up the game, the players have to contend with a "random event" deck. Events such as "super injunction" or "game network hack" make life difficult for the players; perhaps by stopping them from using certain types of cards for a round.

Plans are afoot for this game to feature in the GameCity event in Nottingham, which will be held from 26-29th October. At this event, experienced gamers will be playing it and they'll be invited to develop online prototypes of it.

The game’s good. And it's still in development, although the version we played today was certainly at a very advanced stage. It has all the hallmarks of a great teaching tool. Particularly for those of us who like to learn by doing things, rather than by having a teacher just standing up in front of a class and saying things.

Tuesday, 27 September 2011

The webmasters at the main Government website appear to have ignored the pioneering route the ICO’s team took to ensure compliance with the new cookie rules. Whether it’s absolutely lawful only time will tell, but as it’s the Government’s main website, I think they would be hard pressed to criticise many who adopted their cunning plan.

They’ve found a way of operating their site by giving users the option of objecting to the use of cookies – so long as the users burrow through the cookie explanations until they find the right hyperlinks.

Clever, huh? If it works, certainly.

Read on if you want to learn how they’ve managed this feat.

First, just an explanation of the site. Directgov is the website which is supposed to save public funds by enabling citizens to use this single portal to access all other Government services.

So, from the home page, in just 3 clicks the user can navigate to the page explaining freedom of information and data protection. Interestingly, as well as briefly outlining the data protection principles, subject access rights and guidance on how to stop direct marketing, it also provides advice on how people can appeal against decisions made by the Information Commissioner. I’ve never seen a popular Government site carrying such prominent advice on how people can appeal against these decisions.

Anyway, the Directgov privacy policy (helpfully located by clicking on the link when you have scrolled to the bottom of the landing page) provides the usual stuff, and explains, in a section headed “Changes to this privacy policy”:

If this privacy policy changes Directgov will update this page. You should visit this page regularly so you know:

The text explains that: Cookies allow Directgov to improve the services we provide, by telling us how people use them. Cookies are also used to make some parts of the website work properly. Find out what cookies Directgov uses and what they're for.

Under the heading “Why Directgov uses cookies” the following explanation is available:

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

• enabling a service to recognise your device so you don't have to give the same information several times during one task
• recognising that you may already have given a username and password so you don't need to do it for every web page requested
• measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast.

And then there’s another hyperlink “Internet browser cookies - what they are and how to manage them”

An interesting section (for the cookie anorak brigade) is called “Your privacy - how cookies are used by Directgov.”

I like it. It contains a list of the cookies that have been found on the websites operated by the companies and government departments Directgov works with. The list is to be updated as more information emerges.

The section “Cookies for measuring use of services” states that: by understanding how people use Directgov, we can improve the information provided. This also ensures that the service is available when you want it and fast. We use a number of different methods of gathering this data, including services provided by the following companies.

The text then provides details about 5 cookies placed by Speed-Trap and 5 placed by Google Analytics. The details are set out as follows:

Name: jobseekerscsauvt
Typical content: which Directgov pages you have visited and when
This cookie is used by the Directgov jobs and skills search.
Expires: 1 year

Name: __utmmobile
Typical content: randomly generated number
Expires: 2 years

For further details on the cookies set by Google Analytics, users can click on yet another hyperlink.

Then, there’s an explanation about third party advertising cookies:

Where government uses advertising, it wants to make sure that this money is well spent. To help measure this, the following cookies are used on pages which are being marketed.

Then, there’s a section on “Cookies to make specific web services work”. These cookies are sorted into the following types:

• Site customisation
• Online forms
• Cookies for using personalised answer tools (eg redundancy pay calculator)
• Cookies for using mobile services
• Cookies for using Local Directgov services
• Cookies for using Directgov Innovate website - innovate.direct.gov.uk

Another hyperlink leads to more information on how to control or delete cookies. And yet other hyperlinks lead to more information about various cookies placed on some of the sites which can be accessed from the Directgov website.

There are some interesting details about some of the other cookies that are served under the Directgov domain. Virtually all of the cookies expire when the user exits the browser. But, for some reason, those set by the Schools and children centre finder (schoolsfinder.direct.gov.uk) last for 30 years. Don't ask why.

Finally, there are a few words on “Cookies on Directgov from social networking websites”: Directgov has links so you can use social networking websites (eg Facebook and Twitter) with Directgov. For example, you can bookmark and share links using the toolbar at the bottom of each page. These websites may place cookies on your computer. To find out more, users can click on the hyperlink 'How do you use this toolbar?'.

Clever, huh? By not making it too obvious about how to delete the Google Analytics cookies, these guys probably know far more about what users do when they browse onto these websites than the ICO does when users browse on the ICO’s website.

Monday, 26 September 2011

Brid-Aine Parnell of The Register has just posted an interesting statement from Matthew Newman, a spokesman for EU Commissioner Viviane Reding.

It gives credence to the blog I posted on 21 September, when I announced: if my chums are to be believed, and believe me, I believe them, I’m likely to enjoy Xmas lunch with my friends and family well before the new draft Data Protection Directive may be published.

Apparently, Matthew Newman has recently said: the reform of the Data Protection Directive is ongoing and our proposals should be released in the next 20 weeks.

Getting my calendar out, that’s awfully close to February 14th.

So there’s even less chance of hearing much about the proposed amendments then, this side of Xmas.

Saturday, 24 September 2011

Blog wars this is not. And nor should this be seen as a note of correction from the Provisional Wing of the mobile telecoms industry’s Rapid Rebuttal Unit. But, occasionally, even the great Chris Pounder makes a remark that deserves to be challenged. Or, perhaps as he knows that I’m an avid reader of his blog, he was just trying to get me to comment on the accuracy of what he said.

Good try, Chris. And it is in a spirit of constructive criticism that I challenge his remarks. Not spite. We’re both on the same side – really, we are.

Anyway, readers of his blog will have noticed that yesterday he was commenting (as I did in my posting on 16 September) about the Information Commissioner’s recent appearance before the Justice Committee:

The IC is also concerned about “spamming texts” when they say something like “Our records show that you are in line for a compensation payment of £4,750 for that accident you had. Text CLAIM or STOP". The problem is, the IC said, was that “if you text either, you are confirming that you are there and providing a marketing lead, because these are randomly generated texts”.

The IC added that “We are working very hard with OFCOM and the telecom companies to try to get to the source of these spam texts, but it is a bit like looking for the launch sites of V2 bombers in the Second World War”. I don’t buy this explanation at all: telecom companies that do not know who is using their network. Come off it – they charge for texts don't they?

Believe it or not, Chris, the phone companies (almost certainly) don't know the identities of the bad guys. This is because these guys are applying some clever technology to something that was created over a decade ago. They are very likely to be using anonymous SIM cards. You know, the ones you can get at any newsagent or main railway station, or from a huge variety of retail outlets. And how might they be charging up these SIM cards? By using cash, rather than electronic money.

And these guys will be clever, too. They'll be trying to cover their tracks. And they'll also be relying on the hope that the spambusters who are investigating them won't have the analytical skills and technical toys that, say, the Anti Terrorism Squad probably has. We do need a healthy dose of proportionality in the resources that they have at their command. They are unlikely to have the sort of technology we see on Spooks or the Bourne Identity.

These crooks will also be quite clever in how they operate these spam campaigns. For obvious reasons I don't intend to speculate on how they operate. I don’t want to give the game away. But these crooks also don't know how much the spambusters know about them. They don't know how close they are. Nor do I. But I do hope it won't be too long before the police dogs bark as a specialist team of officials mount a dawn raid and catch them off guard.

So, Chris may have noted that what the Commissioner did not do in his evidence was criticise the phone companies for the part they are playing in disrupting and catching the crooks. Perhaps the Commissioner knows something that Chris Pounder does not.

In conclusion, a plea to Chris: go easy on the telecoms networks please. They may be doing quite a bit more than you think, behind the scenes, but even they won’t yet know just who is behind these scams.

Those to have died on this day include Pompey the Great (48BC), Pyotr Tolstoy (1844), Harpo Marx (1964), Pope John Paul I (1984).

In addition, William the Bastard (as he was known at the time) invaded Britain in 1066, and Sir Alexander Fleming noticed a bacteria-killing mold growing in his laboratory, discovering what later became known as penicillin in 1928.

But did you know that next Wednesday is also the 9th International Right to Know Day?

Well, you do now. And to celebrate it, Christopher Graham, the Information Commissioner, will be posting a speech on his YouTube site at 10am.

It’s an occasion to commemorate the fact that people around the globe will all be exercising their right to know what their governments are doing. It’s not supposed to turn into a “Subject Access Request fest”, but I bet a few activists will do what they can to exercise whatever rights they can.

Last year Lord McNally, the (Lib Dem) minister responsible for Freedom of Information, said: Government, at national and local level, has become a lot better at delivering information requests. What we are promising to do is release lots of information which was within government, but stayed within government. That’s out there now for those with the initiative to request it. It remains a solid right of the citizen to ask for information. Perhaps Lord Henley, the current (Conservative) minister responsible for Freedom of Information, will provide us with an update.

And what’s the Commissioner going to say? I don’t really know. Other than that he wants to mark the occasion with a view on the state of information rights here in the UK: the right to know and the right to privacy.

He is expected to explain why the Information Commissioner’s Office is already a key player in delivering an effective Right to Know; how our responsibility for both the right to know and the right to privacy equips us to assess where the public interest lies; and why the ICO should be an essential partner in delivering the much trumpeted transparency agenda - through to practical reality.

Wednesday, 21 September 2011

If my chums are to be believed, and believe me, I believe them, I’m likely to enjoy Xmas lunch with my friends and family well before the new draft Data Protection Directive may be published.

This probably comes as bad news to lots of us who are aching to leave the IAPP's Europe Data Protection Congress in Paris on 29-30 November with a copy of the new draft – or at least a partial understanding of the Commission’s proposals. After all, the Congress is to be addressed by Commissioner Viviane Reding, together with the three wise men of Euro Data Protection: Peter Hustinx, European Data Protection Supervisor, Jacob Kohnstamm, Chairman of the Article 29 Working Party, and Peter Schaar, Federal Commissioner for Data Protection and Freedom of Information, Germany. And, the Congress will be packed with other people whose lives are so heavily steeped in this stuff that they also deserve the accolade as one of the “Lords of Data Protection.” You might even see me somewhere in the audience, too.

But I’m not fretting. I just want the Commission to get it right. And I don’t really care how long that takes. So long as it is right, in the end.

Given the pace of technological development though, and of changes in customer perception and attitudes, I appreciate that it will be very hard to develop a Directive that meets the needs of people who don’t quite yet know what their needs are, as that technology hasn’t been brought into universal use. But it will. And soon.

Whoever thought that geolocation services would have taken off in the manner that they have done, or that facial tagging (or tattoo tagging) would become so widespread – and so quickly. Or that Governments would feel so threatened by terrorist groups and therefore need to react as they have done? Or that Google+ would have circles of friends, while Facebook has developed different groups of friends? Or that Amazon and Kindle enable the spread of knowledge so easily? Or that, shortly, e-commerce and the creation of new ways of spending e-money may bring forth a data controller with significant knowledge about very significant numbers of us – and that controller may not be “controlled” from within the borders of the European Community?

We live in such interesting times. So let’s continue to concentrate on the items that are currently in our in-trays before anticipating an email with that special package from the Commission.

Image credit: I think this is a brilliant print of the Grand old Duke of York, by Canadian artist Mychael Barratt – you can buy framed copies of this limited edition of 100 prints for just £295 from the Yard Gallery, in Holywood near Belfast.

I’m not suggesting that anyone is behaving like the Grand Old Duke of York, ie getting us all excited and then letting us down again. According to Wikipedia, the oldest version of the song that survives is from 1642, under the title 'Old Tarlton's song', with the lyrics:

The King of France with forty thousand men,
Came up a hill and so came downe againe.

Tuesday, 20 September 2011

Ouch. I write from experience here. I write from the perspective of someone who has tried hard, several times, to create guides or codes of practice which help others understand what sorts of data protection rules they should actually be following.

In a previous life, while working for the Association of British Insurers, I helped prepare material that explained data protection obligations to insurance companies. Then, I helped prepare material for members of the financial services industry more generally. And, in recent months, I've been putting my mind to the sorts of messages that could be usefully sent to web application developers, and particularly the developers of applications that will sit on mobile devices. These are messages that could be sent by the GSM Association. This bunch represents the interests of mobile phone operators worldwide. Spanning 219 countries, it works with nearly 800 of the world’s mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, internet companies, and media and entertainment groups.

This is the first time that I’ve tried to help out with privacy stuff on a global scale. I haven’t helped out a lot. Just a bit. But let’s be honest, developing British standards can be tough enough. And developing European standards is much, much tougher. So who has the energy and commitment to up the ante even higher and commit themselves full time to developing global standards?

Why do I bother? Even doing the little I do? In moments of despair, I ask myself that question. And the reason is always the same. Mainly, because I care. I want to help people understand the issues they need to consider when they develop fun stuff for other people. But is it actually possible to achieve this when people’s cultural expectations differ so greatly around the globe?

Data protection is never going to be the sort of subject that will be in the forefront of the developer’s mind. "Worthy but dull" is perhaps the best way they will think of it. Data protection is worthy, but it need not be dull. It's increasingly important, and application developers who don't get it are likely to have their internet applications increasingly criticised by regulators. Whether this leads to fewer people wanting those applications is another issue, and I don't propose to comment on that issue in this blog posting.

The real peril comes when a decision has to be made by those who are developing the standards about what standards should be proposed to meet the obligations that have been identified. Should the authors always insist on the highest standard, or could a lesser approach work better? Where should the bar be placed?

The difficulty of making such decisions is magnified when it is a representative trade association that is creating the guidance. There is always a tension between creating guidance which suits the immediate needs of the businesses for which the guidance is designed, and the longer term needs of the customers of the businesses for which the guidance is designed.

So, with that in mind, it is going to be really interesting (to me, at least) to see where the GSMA will set the bar as it polishes its draft Mobile Privacy Design Guidelines.

For those who don’t already know, the GSMA has had a brilliant idea and it has published, and for several months has been inviting comments on, a discussion document outlining a set of Privacy Design Guidelines for Mobile Application Development (and an annex of illustrative examples). As the GSMA explains: these guidelines seek to articulate the Mobile Privacy Principles in more functional terms and are intended to help drive a more consistent approach to user privacy across mobile platforms, applications and devices. The GSMA welcomes comments from all parties on the guidelines and encourages stakeholders from the broader Information and Communications Technology industry to join in conversation and partnership on this work.

Right. As the discussion document was circulated for comment in April 2011, the consultation period must surely be coming to an end soon. Consequently, it won't be long before some key decisions are made. What sort of decisions need to be made? Well, if I were to get my crystal ball out, I would expect the GSMA to consider, in the light of the responses to its consultation exercise:

• Whether the rules should be designed to point an application developer in the general direction of what they need to do to comply with most of the relevant privacy rules, or whether the rules should offer comprehensive guidance about what to do in every conceivable situation in every relevant country;
• Whether the rules should be designed to meet the needs of consumers in specific parts of the world (eg just Europe and the USA), or whether they should meet everyone’s needs, wherever they are on the planet; and – most importantly -
• Whether the rules should be offered to its members as an example of good practice, or whether absolute adherence to every rule should be a strict condition of GSMA membership, with members failing to comply being thrown out of the Association.

I don’t know the answers to these questions, nor do I know how the GSMA will decide the answers. But, when they do become publicly known, I expect that I’ll be blogging about them.

Monday, 19 September 2011

I actually think it's impossible to fully safeguard our privacy in the digital age. For most intents and purposes, we can (currently) only be assured of our privacy by returning to an analogue world. This may change in my lifetime. But I don't think that all the tools that are necessary to properly ensure our privacy have yet been created.

Of course, thanks to teams of brilliant software engineers working for companies like Google and Facebook, more privacy is becoming more possible within the social networking world. But, national governments still need to safeguard the security of their citizens (and their States) so it is entirely understandable why we might wish the State to be able to penetrate some of the protective shields we erect to hide some of our actions from our friends and work colleagues.

But where should the lines be drawn? And who should be involved (outside the national security environment, I mean) in sensitive decisions which involve judgments about national security?

These are discussions that could be derailed if they are held in too great an atmosphere of transparency. If law enforcement investigators are to make their case effectively, then many of the discussions will need to take place behind closed doors. If they are to reveal the limitations of their current capabilities, then the investigators will have to trust those to whom this information is imparted that they won’t "give the game away". And it can take quite a considerable time for the bonds of trust to be built before constructive discussions can take place.

But, at some stage in the process, it does become necessary to be more transparent about capabilities. Democracy and justice do, after all, allow the defence teams access to virtually all of the material assembled by investigators as they mount a case against a defendant. They are, yes they are, presumed to be innocent until the reverse is established.

And how does a society show its transparency? By ensuring that the rules are as clear as possible and that they are made available to as many people as possible. Here is where Parliaments can play their role. They can review legislative proposals and make sure that the final sets of rules are clear.

Of course, this does not always happen. Politicians can be tempted to approve stuff they have neither read nor have had explained to them. And they can be tempted to leave the implementing details to public officials - who can be placed in the invidious position of being required to implement stuff that didn't make much sense in the first place. Sound familiar? It's certainly where we are on the European privacy front.

So what do I intend to do about it? If I were able to, I would suggest that European policymakers revert back to basics. I would suggest that we give up on the concept that a single set of very detailed rules will deliver positive results in a field in which different sets of cultures deal with each other in different ways. Even within the European Community, we are not the same. We live in different countries and our Governments have distinct sets of rules. We have different economies and different social models. Our people have different cultural expectations of each other. Just as the Euro is facing difficulties as a common currency for so many EU states, so the current Data Protection Directive is facing similar difficulties as a common set of standards for all European citizens.

That is not necessarily an easy message to send to European policymakers, many of whom have a firm belief that only deeper European integration will bring the citizens to the Promised Land. But what if these citizens don't actually all want to go to that same land? What if all they really want is bread and circuses?

I'm not confident that enough people have actually asked that fundamental question.

But I sense that, with draft proposals for a new Data Protection Directive currently being circulated amongst the highest levels within the European Commission, before they are made available to a wider audience, this question ought to have been debated much more thoroughly.

What could we see soon?

I expect that we'll see an attempt at joined-up thinking between European and American policymakers. But there will be a tension between regulators who feel a desire to impose detailed rules and those who want a looser approach. And I sense that most of these discussions will pass the general public, and the internet application developers, by.

I sense a twin track approach to privacy developing momentum. With regulatory rules on the one side, and self-regulatory standards emerging, which may not be as tight as the formal rules but which basically deliver (most of) the goods.

And I sense a tension increasing between politicians (and a few regulators) who resent the way that self-regulatory initiatives gain momentum, and those who are less willing to endorse a more pragmatic approach.

What will the public want?

I don't think that most of the public will really want too many rules. We all break enough of them every day, anyway. To my mind, the public basically want circuses. If they get something which entertains them, then they'll, for the most part, be happy.

But enough of what I think will happen. Whatever does happen will be happening soon. And I am looking forward to playing my part, however minor that may be, in shaping the final outcome.

Sunday, 18 September 2011

I've been having a bit of a debate with colleagues about what advice to offer the victims of these sneaky spam campaigns that are currently circulating. You know, the ones where the victim receives a text advising them that they have not yet claimed that money they were due for that recent accident. Or that someone was able to sort out their outstanding debts. Or that if they took out a bank loan prior to 2007 then they were almost certainly entitled to £2900 in compensation. Well, that’s the figure they mentioned to me when they sent last Monday’s spam text.

You know the sort of people who are behind these sneaky campaigns. Blaggers and crooks. And when I use those descriptive terms I'm referring to both the people at the bottom end of the chain, those who actually send the texts, and the (probably better dressed) people at the other end of the chain, whose role it is to offer professional services to the victims who have so identified themselves by responding positively to the texts.

Some professional service. Indeed, some profession it is that condones such sharp practices.

Anyway, the big debate is all around whether potential victims should be advised to reply to this stuff with the usual stop command, or whether they should simply ignore the messages.

Every sinew in my body urges me to advise anyone so affected to reply stop. It's the universal command which responsible advertisers have been preaching for as long as I can remember.

But others in the business are suggesting something else. They feel that any response to such messages only serves to notify the sender that there is a real person at the end of this phone, and the only responsible thing to do is to ignore it. I don't have as much faith that the general public will understand such a complicated concept. How will they know how to distinguish between these sneaky messages and the standard sort of spam?

I know that, on a bad day, I'm likely to be unable to tell the difference. And I also know that, even on a good day, there’s no way that someone like my mum would be able to distinguish between the good ones and the sneaky campaigns.

In my view, in instances like this we need to get the customers angry. Really angry. And I think the best way to get them really angry is to encourage them to type the usual stop reply, and then they can get really miffed when the miscreants ignore them. Next, they can complain bitterly to whichever regulator wants to join in and give these bad guys a good kicking.

Depending on what professional service they are selling, it could be our chums from the Office of Fair Trading, the Ministry of Justice, the Solicitors Regulation Authority, the Direct Marketing Association, local Trading Standards officials, PhonepayPlus, Ofcom - the list could drag on for some time.

The point, I suppose, is that there are teams of good guys to go after these bad guys, once someone has worked out who they are and where they come from. So this is why I think we need some volunteers to help carry out a cunning plan. Let’s be almost as devious as them. We, the data protection professionals, should reply to these bad guys. Let’s wind them up, if needs be. Let’s dream up some credible story about us being in need of their services, and then let’s lead them along, getting as much information as we can about them for the sole purpose of sneaking on them to the regulators, the next time we get spammed. Where revenge and retribution will surely follow.

I don't often condone sneaky stuff, but in cases like this, I think it's worth it.

Friday, 16 September 2011

Not Portcullis House, which is where Information Commissioner Christopher Graham was on Wednesday morning. No, I was at Chatham House – “the House” – so you’ll appreciate that I’ll be taking even greater care not to identify anyone I was chatting to. Chatham House is both the name of the building in St James's Square and the name by which the Royal Institute of International Affairs is widely known. Its mission is to be a world-leading source of independent analysis, informed debate and influential ideas on how to build a prosperous and secure world for all.

The reason? To discuss the aspects of a recently launched report “Cyber Security and the UK's Critical National Infrastructure”, written by Paul Cornish, David Livingstone, Dave Clemente and Claire Yorke. Sponsored by Detica, it’s part of a series of reports that have been commissioned to try to understand what the problem actually is, and what it is that opinion formers and decision takers can do to address the issues that arise from the problem.

The methodology? By talking to a bunch of senior executives from private sector organisations, the analysis team took particular care to note the language that was used by the executives as they responded to interview questions, to assess just how deeply they appeared to care about a range of issues.

What did the report actually conclude? In a nutshell:

Government cannot provide all the answers and guarantee national cyber security in all respects for all stakeholders. As a result, Critical National Infrastructure enterprises should seek to take on greater responsibilities and instil greater awareness across their organizations.

All organizations should look in more depth at their dependencies and vulnerabilities. Awareness and understanding of cyberspace should be 'normalised' and incorporated and embedded into standard management and business practices within and across government and the public and private sectors.

Cyber terminology should be clear and language proportionate to the threat. It should also encourage a clear distinction to be made between IT mishaps and genuine cyber attacks.

Research and investment in cyber security are essential to meeting and responding to the threat in a timely fashion. However, cyber security/protection should not be the preserve of IT departments but of senior executive boards, strategists and business leaders and it should be incorporated into all levels of an organization.

The response from the audience? Well, surprisingly, a number took up a theme that emerged from a meeting I blogged about on 7 September. And it was about the sort of people who will, in increasing numbers, be responding to cybersecurity threats.

These people are going to be a new breed of respondents.

They’re not all geeks, or nerds. They won’t be dressed from head to toe in Primark. Or George at Asda. Or wear thick glasses and have really pale complexions.

These guys are going to be different. They’re going to be much cooler than the geeks. They’re more likely to shop at Aubin & Wills. Or at Alexander McQueen. Or at Paul Smith. A bit of bling is going to be ok. And tatts. And they will be wearing their hair any way they dare.

We’re talking of a new breed of cyberpeacekeeper. Like someone a lot of us are going to want to aspire to become. Matt Damon. Not Alan Cumming. Beth Bailey and Tariq Masood. Not Katy Price or some Big Brother contestant. Style. Confidence. Good humour. Athletic. Caring. With integrity. Get the picture?

The good guys are going to beat the bad guys by being guys that most of us would want to be around.

Of course there will always be a need for some nerds and geeks - I’m not saying that nerds and geeks are unnecessary. But what I am saying is that as well as the nerds and the geeks, there will be this new breed of cyberhero. And they’ll be masters of the “translation layer”, with an ability to engage with and convert technical terms to the most senior of Board members, and get them to “get it” once and to keep “getting it”.

And how can you join this new breed? Where do you go to sign up? Errr, not exactly sure yet – so keep up those computing and maths studies at Uni, and by the time you’ve graduated I’m sure that there’ll be some really cool jobs that are well worth applying for.

So, if you’re good enough, you might just get an opportunity that most will only be able to dream about.

Pictures don't lie. Security was increased to such an extent at Portcullis House last Tuesday morning that the ratio of highly trained House of Commons security staff to members of the public numbered 1:1 for the appearance of the Information Commissioner before the Justice Committee. Actually, this is not quite true. For the first half hour of evidence giving, there were two members of the public in the Grimond Room. But one of them was obviously overwhelmed with what he had heard, and had left by the time this image had been taken.

Security was tight (or “heightened” in official terms) because an international arms fair was taking place at the ExCeL centre in London’s Docklands, and those who are paid to worry about such things obviously thought that protesters might make a stab at disrupting the important work of Parliament, as they couldn’t get sufficiently close to the arms dealers down the river.

As for me, I wasn’t in Parliament last Wednesday. But the previous day I was a couple of hundred yards away, attending a meeting in Ministerial Conference Room B at the Department for Business Innovation and Skills. At BIS they didn’t take security quite as seriously as their colleagues at Portcullis House. After I had spoken to a harassed man in a fluorescent jacket who was minding the front door on Victoria Street, and who didn’t have my name on his list, I just ambled past him and shuffled over to a nice lady on the reception desk (who did have my name on her list). Then, I walked straight through the next (manned) security point with a work colleague, and we made our own way to the Ministerial suite on the 7th floor. This came as quite a bit of a surprise to the civil servants who were waiting to be told we had arrived downstairs, so that they could pop down, authenticate us as genuine visitors, and escort us back up to the (supposedly secure) suite of Ministerial Conference Rooms.

They certainly made sure they escorted us out of the building at the end of that meeting.

Anyway, let's get back to the plot.

If you want a good summary of Chris Graham’s remarks to the Committee, you can do no better than to point your browser to Chris Pounder’s Hawktalk blog. Or you can read the ICO’s press release. So there’s no need for me to say too much about it. Other than to echo the plea that the Leveson Inquiry (into, among other things, the general culture and ethics of the British media) should not be used as a ploy to further delay the introduction of custodial penalties for those who commit serious data protection offences. As lots of observers keep pointing out, until the "fines only" option is changed for more serious data protection offences, the courts simply don't have the ability to impose a wide range of penalties, such as community service orders, and suspended (or actual) custodial sentences. Thank goodness for the Computer Misuse Act, and for the Proceeds of Crime Act, which do have penalties that prop up the pretty light regime introduced for DPA offences. Oh yes, and the Misconduct in Public Office offence, which can sometimes be applied, too. That one carries a maximum sentence of life imprisonment. I kid you not.

And, if you can believe it, it now appears that the Crown Prosecution Service are trying to use the Official Secrets Act to get to the bottom of various cases where personal information had been awfully abused. That Act carries a maximum custodial penalty of two years and an unlimited fine.

My plea to the legal academics who read this blog is simple: please ask a couple of your brighter students to write a dissertation entitled "Who's been a naughty boy, then?" The purpose would be to create an analysis where (essentially) the same acts were committed by, say, medical students, bank employees, DVLA officials, police officers, soldiers, journalists, phone company employees and ICO staff members, etc. Then, we might all appreciate what the entire range of criminal, civil (including employment law) and regulatory penalties is that might be applied to that miscreant and to their employer. I am certain that it will make very interesting reading.

Now let’s hope that, for future appearances before Parliament, there may be many more members of the public who will make the effort to turn up and listen whenever Christopher Graham is invited to give any evidence. If we’re not careful, we might give the impression to the casual parliamentary TV viewer that no-one cares about data protection. We can do better than that. It’s always better hearing this stuff at first hand.

And, if you behave yourself, you can even try to have a few private words with the Commissioner, afterwards.

Postscript: Many thanks to those who have recently bought a copy of my Book, “From Fear to Hope”. (For more information, see my blog posting dated 13 September.) After just 5 days on sale, I’m told that it’s stormed Amazon’s best sellers list, and is currently their 48,976th most popular book. It’s slipping down the chart, as earlier today it had hit the dizzy heights of number 46,839. Let’s see what we can do together to get it into the top 25,000!

Tuesday, 13 September 2011

If Commissioner Viviane Reding were ever to read this blog posting, I’m sure that the next thing she would do is take me off her Christmas card list. Or at least she would make sure that I’m not, and never will be, on it.

Why?

Because I propose to demonstrate a brilliantly simple way of evading the proposed “right to be forgotten” principle.

And how did I come across this cunning gem of an idea?

Well, over the weekend I was looking at references to myself on Wikipedia (as you do ...) and found a number of broken links to some material I had posted some 10 years ago. I’m not at all surprised that the links were broken, as I had last used that Internet Service Provider a few years ago. But what did surprise me was the speed with which the Internet Archive was able to locate some of this material and bring it back on line for me. In a matter of a few seconds, material that I had not accessed for over a decade was suddenly available again.

Thank you, Internet Archive.

But, I thought to myself, what might happen if one day even the Internet Archive were to decide that my stuff simply wasn’t worth preserving and retrieving? What else could I do?

I had a flash of inspiration after lunch on Sunday and surfed over to the self-publishing guidance on Amazon.com. How hard, and how expensive would it be to self-publish this “forgotten” material?

The answer staggered even me. It’s actually quite easy. If you can create a blog like this you can do most of the work yourself, while the clever computers at Kindle do all the complicated stuff. And, it’s not expensive. If you can afford to create a blog like this then you can afford to self-publish.

By the time I had gone to sleep on Sunday, I had found and revised the original manuscript which was on an old laptop, agreed royalties and completed the legal stuff, created a new front cover, and sent a new electronic version to my new friends at the Kindle Store. First thing on Monday morning, I was able to log onto Amazon.com, search for my book, buy it, and have it delivered to the Kindle application on my iPad in seconds. Bingo.

Talk about progress. A decade ago, I was having problems finding a publisher who had sufficient confidence in the subject matter to commit themselves to publishing an edition in print. In the end, I couldn’t find one. So a few typed copies languished on a shelf for a while, read by just a handful of people. Some of these people, who didn’t want to have it published as it didn’t portray them in the best of lights, did little to help it get read by anyone else. Last weekend, I found that I could dispense with the overheads associated with commercial publishing houses and do most of it myself in the space of 10 hours.

And the subject matter of the book?

Actually, it’s quite relevant – as it relates to a charity which has been associated with large numbers of people working with what we politely call “sensitive data”. The Terrence Higgins Trust was formed in November 1982 by some of his close friends. Terry Higgins was not the first person to die from an AIDS-related illness in Britain, although he was the first to be publicly identified.

This book charts the first 15 years of that organisation, as it transformed itself from a volunteer led charity to a more professionally run organisation. Within years of its establishment, the Trust was experiencing massive growth. Large numbers of people were becoming HIV positive and, with the introduction of AZT, the first effective drug treatment against HIV, clients were generally not dying as quickly as before. This created further demands in terms of counselling and support, as well as the need for more campaigns to warn people of the possible dangers to their health.

The early informal decision making structures imploded under the pressure caused by the growing demand for the Trust’s services, which in turn led to a series of crises of identity and organisation. More paid staff took responsibility for work, which had previously been carried out by teams of volunteers, and there were frequent disagreements over the direction the organisation was taking. Rapid changes in personnel, both paid and voluntary ensued.

This book, which is divided into three parts, charts the development of the Trust.

The first part recounts how it was managed as it struggled to cope with the shifting pattern of demands brought about by the AIDS epidemic. The second part records how it developed its health promotion work. Literature, advertising campaigns, outreach work and international conferences all played their role. The third part describes the services which were offered to its clients. Individual counselling, support groups, the telephone helpline, buddies, advocacy and advice work, practical help, hardship funds and commemoration ceremonies greatly helped improve the welfare of people who were either infected or in any way affected by HIV.

As well as the statistics, this account tells the human story, about the people who have worked for the organisation, both in a voluntary and a paid capacity, and about some of the many thousands of people who have been assisted because their lives have been adversely affected by HIV and AIDS.

So it’s an account about people who, and people who helped people who were ill. Some were prisoners, injecting drug users, incompetents and/or thieves. Some of these injecting drug users, incompetents and thieves were volunteers or employees of the organisation. So how can it be possible to write about such people fairly? Is it right for some people to demand a right of anonymity, if their actions have actually had a profound impact on the lives of others?

I think I’ve managed to deal with the competing interests of those who were bad and those whose past deserves just a slight amount of airbrushing.

Feel free to invest £2.89 ($4.59) in a copy for your own Kindle device and let me know what you think. It won't make me rich, but it will provide a memorial to those who did some mighty fine things - and some mighty stupid things - between 1982 and 1997.

Wednesday, 7 September 2011

Every once in a while, the great and good of the British cyber security community get together for a reality check. Are their prejudices the same as everyone else’s prejudices? Are the interests they are striving to protect equivalent to the interests of the English community as a whole? Or is a void developing, with Government protecting one set of interests, and Civil society feeling increasingly alienated as their cherished freedoms are steadily eroded?

And last night, a select gathering of this great and good met at Simpson’s-in-the-Strand to find their thinking challenged by Ben Hammersley. Ben is a pioneering British internet technologist, strategist, and journalist, currently based between London and New York. He specialises in the effects of, and strategy needs resulting from, the post-digital, post-internet age. He may wear bright red trousers and sport tattoos on his arms, but he’s equally at home in Finsbury Park and Downing Street - and that gives Ben just the right sort of street credibility for his opinions to get a hearing, rather than being dismissed entirely, in the sort of company that surrounded him last night.

As the meeting was held under Chatham House rules, it would not be fair to attribute the points I’ll be making in this blog to remarks to any identifiable individuals who contributed towards last night’s discussions. So I won’t.

For those who need reminding, when a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.

But I will jot down, in no particular order, a couple of thoughts that were profound enough to prompt me to note them on the back of the dinner menu.

The internet, in the developed world, has really become the defining moment of civilization. When Governments turn off the internet, they turn off modernity.

The internet has also allowed networks to develop, which have destroyed hierarchies that have previously been relied upon by elites to govern civil society. Opinions are no longer the privilege of the elders – anyone can review anything these days, and their reviews are available to anyone with an internet search engine. Of course, what would be useful is for someone to provide a “translation layer” between the views of the pre-internet and post-internet generation.

In terms of data sharing on the internet, and contrary to the opinions of older generations, the younger generations really do understand the value of their data. They’ve done the sums and find themselves in profit. They totally get it. They sell their data in exchange for a better world they want to live in and they are very conscious of this.

Their support for the development of services based on publicly available datasets is clear - their mantra is “you show me yours – I’m already showing you mine.”

In terms of security, most people don’t have that much at risk. A security breach may mean they lose their photos, or they have to fill in a few forms to get some money back from their bank, but it’s not as though they are going to die. And they feel that most parts of the critical national infrastructure are not connected to the internet either, so the threats are actually much less than some in the security industry make out.

What is of concern is the grotesque over securitisation of trivial services. Why is it necessary to have so many complicated passwords or other internet access tokens to obtain stuff which is actually not that important? Why is it necessary to undergo such detailed authentication procedures if all someone wants to do is obtain a couple of visitors’ parking permits from a local authority’s on-line “services” desk? Or has this over securitisation process actually resulted in us using the same few passwords to access everything on-line, as we are not able to protect the stuff that really needs to be protected (like our banking details) with unique passwords that we can actually recall with ease?

Did Richard Reid, also known as the shoe bomber, actually achieve one of the fundamental objectives of terrorists back in 2002, which was to sow mistrust and a sense of alienation between civil society & air travellers, on the one side, and airline & government security officials, on the other side, through the adoption of preposterous security precautions that are now imposed on all travellers? Who, in their right minds, actually feels safer because they have had to take their shoes off and throw away virtually all of the liquids they are carrying “landside”, when they have to buy those same liquids from the airport retail outlets as soon as they get “airside”? Or are these precautions another example of the over securitisation of a pretty trivial service?

Some of the participants had very radical ideas as to how to change the current image of the security industry. But they are far too radical to be reported in today’s posting. I’ll mull on them and see what I can do to draw some attention to them, though.

If you’re ever invited to an event hosted by the Information Assurance Advisory Council, I do urge you to accept. You never know who you might bump into!

Sunday, 4 September 2011

Look out for this icon when surfing the internet in future. Promoted by the Internet Advertising Bureau since April 2010, it’s the icon which notifies users that some form of tracking is going on. I won’t get into the argument about the extent to which the icon has been taken up – other than to note that estimates about its current use appear to differ quite considerably.

But surely that’s not the point. At least it’s a welcome step in the right direction – and for that, the key players ought to be congratulated. This turquoise triangle with a lowercase letter "i" at its centre is to be known as the Advertising Option Icon. By clicking on the triangle, you can view a disclosure statement. And you should be able to click through to a Web page that gives you the choice to opt out of being tracked.

Some privacy activists don’t believe this is good enough, and they have argued that it gives only general information on how advertising and social networks track Internet users. These activists are most upset that self-regulation just appears to have been focused on getting users to opt in to being tracked via using their social data, video and other free downloads and engaging online apps that, they argue, increasingly work via stealth means.

These activists want to see the US Congress pass a do not track law. The Federal Trade Commission will be working with the Article 29 Working Group to consider how the US and EC approaches might be co-ordinated, so as to give internet users an equivalent level of protection, regardless of where they are using their devices to access the internet. Given their entrenched historical positions on privacy issues, however, it’s going to be really interesting to see how a common solution can be developed. It looks as though both the EC and the US blocs are trying to arrive at the same solution, but they are approaching it from very different perspectives. It reminds me of the situation in the Middle East, where different groups of religious interests want to claim the same parts of Jerusalem for their own, but for very different purposes.

Let’s see how the discussions pan out. And let’s settle down for a considerable period of discussion, too.

Meanwhile, let’s not decry icons such as these too much just yet. They may not meet every legal privacy requirement ever imposed by the EC, but surely they are better than nothing.

In the privacy game, we celebrate small steps towards nirvana. There are no giant leaps forward for mankind.

Friday, 2 September 2011

Fancy that! Within hours of me posting yesterday’s blog, praising Chris Pounder’s excellent article on Riotous behaviour: which law legitimises the blocking of communications? I see that his article has today been reproduced in full in The Register.

Chris has obviously got a number of admirers. And his views do deserve to be considered with considerable care.

Good on you, Chris. And the guys at El Reg, for giving it more publicity.

Thursday, 1 September 2011

Chris Pounder is one of the great beasts of the British data protection jungle. A powerful advocate of data protection, privacy and human rights theory, his principled approach to the issues of the day is respected by many, and feared by a few.

Why feared? Well, in his regular Hawktalk blog, he frequently points out why various political initiatives can be extremely hard to square with the well established principles of British law and common sense. And it can be hard for some policy wonks to realise that the initiative they’ve just drafted on the back of an envelope won’t work in practice – or in law.

Take today’s blog, for example, on Riotous behaviour: which law legitimises the blocking of communications? He’s deconstructed political sound bites that emerged in the immediate aftermath of last month’s incidents and has analysed arguments which must surely also have been part of the Ministerial briefing papers that were prepared to support the initiative under discussion. Or if they weren’t part of the briefing paper then, I expect that they will be very soon.

Full marks to Chris for drawing attention to basic principles that ought to be given an extremely careful examination. I have every confidence that the Home Office will give these principles their full attention. I also expect that Chris will shortly be placing a Freedom of Information request to that Office to ask which organisations have been consulted when developing and implementing public policies in such a sensitive area.

I have no public views to offer on such a sensitive issue at this time. Other than to remark that Chris appeared to be very well briefed on what he was writing about.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.